ICO issues new guidance on deleting personal data
The collection, storage and use of personal
data in the UK is governed by the Data Protection Act 1998 (DPA).
Compliance with the DPA is enforced by the Information Commissioner's
Office (ICO).
The DPA defines "personal data" broadly so
that it catches almost all data relating to an identifiable living
individual, regardless of whether the data is stored in hard-copy
or electronic format.
Under the DPA, all data controllers (any
organisation that determines, either alone or jointly with others,
the purposes for which and the manner in which any personal data
is, or is to be, processed) must ensure they comply with the eight
data protection principles set out in the DPA whenever they
collect, store or use personal data. Those eight principles
require that personal data must:
- be processed fairly and lawfully
- be obtained and processed only for one or more specified and
lawful purposes
- be adequate, relevant and not excessive
- be accurate and kept up-to-date
- not be kept for longer than necessary
- be processed in accordance with the rights of the
individual
- be kept secure, and
- not be transferred outside of the European Economic Area unless
adequate levels of protection exist.
Unfortunately, the DPA does not say how long
personal data may be kept for the purposes of the fifth principle
(the requirement that personal data must not be kept for longer
than necessary) so organisations must make their own decision as to
what is appropriate in the circumstances. The general rule is
that personal data should be deleted or destroyed once the purpose
for which it was collected has been completed.
As organisations become more technologically
advanced, compliance with the fifth principle becomes more
difficult. When records were held on paper it was fairly easy for
organisations to shred hard-copy files and so destroy redundant data.
Electronic records have made compliance trickier: it is now
difficult, from both a practical and a technical perspective, for
organisations to delete personal data completely from their systems.
Data that has been 'deleted' will often still exist in some form
within the organisation's systems, for example on back-up servers, in
electronic waste baskets (recycle bins), or in copies that were never
tracked in the first place. A practitioner should also bear in mind
that a file-system or database 'delete' typically removes only the
reference to the data, leaving the underlying content on disk until
it is overwritten.
In its new guidance the ICO recognises
that deleting personal data from a system is not always
straightforward. It accepts that personal data can instead be put
'beyond use', and that the organisation's data protection obligations
in respect of that data are then suspended, provided that certain
safeguards are in place. Those safeguards require that the
organisation:
- is not able, and will not attempt, to use the personal data to
inform any decision in respect of any individual or in a manner
that affects any individual in any way
- does not give any other organisation access to the personal
data
- surrounds the personal data with appropriate technical and
organisational security measures, and
- commits to the permanent deletion of the personal data if, or
when, this becomes possible.
In its guidance, the ICO says that
organisations can retain personal data they would otherwise be
required to delete if, for technical reasons, they are unable to
detach that personal data from other legitimately held personal
data contained in the same batch.
The ICO has also acknowledged that the DPA
does not apply to personal data that has been deleted with no
intention of future use, even though residual copies of it may still
linger somewhere on the organisation's storage.
The guidance is extremely useful and shows
that the ICO will take a pragmatic approach to the fifth
principle.
However, organisations should note that the
ICO's guidance does not give them carte blanche to keep
personal data forever. Putting personal data beyond use is intended as
a temporary measure: organisations should still take whatever steps
they can to permanently delete personal data as soon as the purpose
for which it was collected has been completed, and should be able to
show that they have done so.